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DETAILED ACTION 

1. Claims 1-45 are subject to examination. Claims 1, 10-12, 21-23, 32-35, 44 and 
45 have been cancelled. 

Response to Arguments 

2. Applicant's arguments filed October 21 , 2004 have been fully considered but they 
are not persuasive for the following reasons: 

The 35 U.S.C. S 102 & 103 Rejections: 

a. In response to Applicant's arguments "Generally, the Office Action states that the 
prior art discloses or suggests all of the claim elements and limitations. However, the 
claims have been amended to distinguish elements and limitations that are not taught or 
suggested by the prior art. Among these is that the updated client HTTP request 
frequency is based on HTTP "GET" and "POST" requests as claimed.", the claimed 
limitations include either HTTP "GET" or "POST" and not both. 

b. In response to Applicant's arguments "This is as opposed, for example, to Lin 
that only teaches "session establishment requests" (col. 2, lines 29-30), to Primeaux 
that only teaches "command usage patterns" (col. 4, line 7), and to Prabandham that 
only teaches "failed accesses.. .or.. .security failures" (col. 4, lines 61-64). ", (1) As it is 
well known in the art, in HTTP, the Web browser establishes a connection to a Web 
server and sends an HTTP request message to the server. In response to an HTTP 
request message, performs any requested action, and returns an HTTP response 
message containing an HTML document in accord with the requested action, or an error 
message. The returned HTML document may simply be a file stored on the Web 
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server, or may be created dynamically using a script called in response to the HTTP 
request message. For instance, to retrieve a document, a Web browser may send an 
HTTP request message to the indicated Web server, requesting a document by 
reference to the URL of the document. The Web server then retrieves the document 
and returns it in an HTTP response message to the Web browser. Request messages 
in HTTP contain a "method name" indicating the type of action to be performed by the 
server, a URL indicating a target object (either document or script) on the Web server, 
and other control information. The request methods defined in the current version of the 
HTTP protocol include GET, POST, PUT, HEAD, DELETE, LINK, and UNLINK. HEAD, 
DELETE, LINK and UNLINK are less commonly used. The GET method causes the 
server to retrieve the object indicated by the given URL and send it back to the client. If 
the URL refers to a document, then the server responds by sending back the document. 
If the URL refers to an executable script, then the server executes the script and returns 
the data produced by the execution of the script. Web browser programs normally use 
the GET method to send request messages to the Web server to retrieve HTML 
documents, which the Web browser then displays on the screen at the client computer. 
The POST method sends data, usually the user input parameters from an HTML form, 
to the server. The POST request also contains the URL of a script to be run on the 
server. The server runs the script, passing the parameters given in the request, and the 
script generates an HTML output that is returned in the response to the client. In order 
for a client program to send arbitrary data to the Web server using the current HTTP 
protocol, the client program must use either the PUT method or the POST method, as 
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these are the only two methods that allow such data transfer to the Web server. Web 
browsers generally use only the POST method and generally only for the purpose of 
sending data in connection with forms to be processed. That is why it is called session 
establishment requests as taught by the reference Lin . (2) As claimed in claim 1, 
filtering does include "updating a client HTTP request count when said request for said 
URL is a HTTP GET request or a HTTP POST request; and applying HTTP server 
denial of service attack preventative measures when a client HTTP request frequency 
based on said client HTTP request count exceeds a maximum HTTP request frequency. 
This is clearly taught by the reference Lin in col.2, lines 26-30. That is "In accordance 
with an aspect of the invention, the filter 106 employs a "rate limiting" mechanism to 
limit the rate of session establishment packet submission. For example, the filter may 
limit the rate to a particular number of session establishment requests per second" 
(frequency), and (3) In response to applicant's arguments against the references 
individually, one cannot show nonobviousness by attacking references individually 
where the rejections are based on combinations of references. See In re Keller, 642 
F.2d413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 
USPQ 375 (Fed. Cir. 1986). The reference Primeaux's invention discloses only as few 
as "5 commands" and any "critical commands". The reference teaches "a usage based 
pattern authenticator for monitoring and reporting on user usage patterns in an 
operating system using a set of security rules and user usage patterns.". The process 
and concepts are significant and of paramount importance for one having ordinary skill 
in the art to apply the same mechanism in the relevant scenarios, and in response to 



Application/Control Number: 09/734,952 
Art Unit: 2154 



Page 5 



arguments concerning the teaching of the reference Prabandham for applying the 
preventive measures and tracking the hackers (both potential and actual) by logging 
multiple failed accesses by a particular browser within a specific period of time or 
determine the frequency and type of various security failures promulgated by the user of 
a particular browser. The process and concepts are significant and of paramount 
importance for one having ordinary skill in the ad to apply the same mechanism in the 
relevant scenarios. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless- 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

4. Claims 2, 5, 13, 16, 24 and 27 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Lin et al. (hereinafter Lin)(US 6,751 , 668). 

Referring to claim 2, 

The reference teaches a method for preventing denial of service attacks (col.1 , lines 7- 
10) against Hypertext Transfer Protocol (HTTP) servers (col.2, lines 17-25) the method 
comprising: 
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receiving a HTTP request from a subscriber using a first communication network 
coupled to at least one other communication network, said request including a Universal 
Resource Locator (URL), (col.2 ( lines 21-25) 

receiving a profile for said subscriber; filtering said request to determine whether 
said subscriber is authorized to make said request based upon said profile, (col.2, lines 
63-66, col.4, lines 14-18) said filtering including: 

updating a client HTTP request count when said request is a HTTP "GET" 
request or a HTTP "POST" request; and applying HTTP server denial of service attack 
preventative measures when a client HTTP request frequency based on said client 
HTTP request count exceeds a maximum HTTP request frequency 
and forwarding said request to said at least one other communication network when 
said subscriber is authorized to make said request, (col.2, lines 26-62, col.4, lines 14- 
18). 

Referring to claim 5, 

The reference teaches the method wherein said applying further comprises dropping 
the data packet containing said request when said client HTTP request frequency 
exceeds said maximum HTTP request frequency. (col. 2, lines 33-39, lines 63-66). 
Referring to claim 13, 

Claim 13 is a claim to a program storage device readable by a machine, embodying a 
program of instructions executable by the machine to perform the steps of method of 
claim 2. Therefore, claim 13 is rejected for the reasons set forth for the claim 2. 
Referring to claim 16, 
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Claim 16 is a claim to a program storage device readable by a machine, embodying a 
program of instructions executable by the machine to perform the steps of method of 
claim 5. Therefore, claim 16 is rejected for the reasons set forth for the claim 5. 
Referring to claim 24, 

Claim 24 is a claim to an apparatus carrying out the method of claim 2. Therefore, 
claim 24 is rejected for the reasons set forth for the claim 2. 
Referring to claim 27, 

Claim 27 is a claim to an apparatus carrying out the method of claim 5. Therefore, 
claim 27 is rejected for the reasons set forth for the claim 5. 

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 3, 4, 6, 14, 15, 17-20, 25, 26 and 29-31 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Lin et al. (hereinafter Lin)(US 6,751, 668) in view of 
Primeaux et al. (hereinafter Primeaux) (US 6,334,121). 

Referring to claims 3 and 4, 

Keeping in mind the teachings of the reference Lin as stated above, the reference fails 
to teach setting an alarm when said client HTTP request frequency exceeds said 
maximum HTTP request frequency and sending said alarm to an Internet Service 
Provider (ISP) associated with subscriber . The reference Primeaux teaches the action 
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taken could be defined to suspend the user account or merely mail a message to the 
system administrator (sending alarm to an Internet Service Provider (ISP) associated 
with subscriber), warning of a potential intruder including the category of users such as 
Yes-definitely the appropriate user, No--definitely an intruder and Yes/No-may or may 
not be the appropriate user. (col. 10, lines 50-59). The reference also teaches that if the 
usage pattern is outside of the user's normal usage pattern, this triggers the system to 
react automatically. The reaction of the system is adjustable and will depend primarily 
on the nature and the degree of destructiveness of a particular command and the level 
of security awareness that the software is set for (dropping the data packet containing 
request). Various levels of security are determined by the list of commands deemed 
critical by the system administrator, (col. 10, lines 60-67). Therefore, it would have been 
obvious to one having ordinary skill in the art at the time of invention was made to 
combine Lin's capabilities with Primeaux's usage pattern tracking capabilities and 
applying the attack preventive measures based on the set threshold levels such as 
client HTTP request frequency exceeding a maximum HTTP request frequency and 
setting an alarm to the ISP (the system administrator). 
Referring to claims 6, 7, 8 and 9, 

Keeping in mind the teachings of Lin as stated above, although the reference teaches 
disabling HTTP requests for a hold-down period when said client HTTP request 
frequency exceeds said maximum HTTP request frequency. (Fig. 4, "shaded area"), the 
reference fails to teach shutting down the account used to access first communication 
network when said client HTTP request frequency exceeds said maximum HTTP 
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request frequency and increasing said hold-down period each time said client HTTP 
request frequency exceeds said maximum HTTP request frequency, and wherein said 
hold-down period increases exponentially each time said client HTTP request frequency 
exceeds said maximum HTTP request frequency. The reference Primeaux teaches the 
action taken could be defined to suspend the user account (shutting down the account 
used to access and disabling HTTP requests for a hold-down period) or merely mail a 
message to the system administrator, warning of a potential intruder including the 
category of users such as Yes-definitely the appropriate user, No-definitely an intruder 
and Yes/No--may or may not be the appropriate user. (col. 10, lines 50-59). The 
reference also teaches that if the usage pattern is outside of the user's normal usage 
pattern, this triggers the system to react automatically. The reaction of the system is 
adjustable and will depend primarily on the nature and the degree of destructiveness of 
a particular command and the level of security awareness that the software is set for 
(hold-down period each time client HTTP request frequency exceeds said maximum 
HTTP request frequency and hold-down period increases exponentially each time client 
HTTP request frequency exceeds maximum HTTP request frequency). Various levels of 
security are determined by the list of commands deemed critical by the system 
administrator, (col. 10, lines 60-67). Therefore, it would have been obvious to one 
having ordinary skill in the art at the time of invention was made to combine Lin with 
Primeaux's usage pattern tracking capabilities based on the normal commands such as 
a HTTP "GET" request or a HTTP "POST" request; and applying the attack preventive 
measures based on the set threshold levels such as client HTTP request frequency 
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exceeding a maximum HTTP request frequency set by the security rules and to 
suspend the user account (shutting down the account used to access and disabling 
HTTP requests for a hold-down period) as desired, based on the level of security 
awareness that the software is set for (hold-down period each time client HTTP request 
frequency exceeds said maximum HTTP request frequency and hold-down period 
increases exponentially each-time HTTP frequency exceeds maximum HTTP request 
frequency) when client HTTP request frequency exceeds a maximum HTTP frequency. 
This provides a system wherein the system will detect a difference in the pattern of 
usage. When such a difference is detected, the system will take the appropriate action. 
Referring to claims 14 and 15, 

Claims 14 and 15 are claims to a program storage device readable by a machine, 
embodying a program of instructions executable by the machine to perform the steps of 
method of claims 3 and 4. Therefore, claims 14 arid 15 are rejected for the reasons set 
forth for the claims 3 and 4. 
Referring to claims 17, 18, 19 and 20, 

Claims 17, 18, 19 and 20 are claims to a program storage device readable by a 
machine, embodying a program of instructions executable by the machine to perform 
the steps of method of claims 6, 7, 8 and 9. Therefore, claims 17, 18, 19 and 20 are 
rejected for the reasons set forth for the claims 6, 7, 8 and 9. 
Referring to claims 25 and 26, 

Claims 25 and 26 are claims to an apparatus carrying out the method of claims 3 and 4. 
Therefore, claims 25 and 26 are rejected for the reasons set forth for the claims 3 and 4. 
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Referring to claims 28, 29, 30 and 31, 

Claims 28, 29, 30 and 31 are claims to an apparatus carrying out the method of claims 

6, 7, 8 and 9. Therefore, claims 28, 29, 30 and 31 are rejected for the reasons set forth 
for the claims 6, 7, 8 and 9. 

7. Claims 36-43 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Lin et al. (hereinafter Lin)(US 6,751 , 668) in view of Primeaux et al. (hereinafter 
Primeaux) (US 6,334,121 ). as applied to claims above, and further in view of 
Prabandham et al. (hereinafter Prabandham)(US 6,701,438). 

Referring to claim 36, 

The reference Lin teaches a first receiving interface capable of accepting a HTTP 
request received from a subscriber using a first communication network., said request 
including a Universal Resource Locator (URL);(Fig. 1, element 106); a profile request 
generator capable of generating a profile request based upon said request; (col.2, lines 
63-66); a filter capable of determining whether said request is authorized based upon 
said requested profile, said filter including; an updater to update a client HTTP request 
count when said request for said URL is a HTTP "GET" request or a HTTP "POST" 
request', and 

a responder to apply HTTP server denial of service attack preventative measures when 
a client HTTP request frequency based on said client HTTP request count exceeds a 
maximum HTTP request frequency; (col.2, lines 26-66, col.4, lines 14-18). Keeping in 
mind the teachings of the references Lin and Primeaux, both of these references fails to 
a first forwarding interface capable of sending said profile request to an Authentication, 
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Authorization, and Accounting(AAA) server; a second receiving interface capable of 
accepting a requested profile; an authorizer capable of allowing said request to be 
forwarding on at least one other communication network coupled to said first 
communication network: and a second forwarding interface capable of forwarding said 
request on said at least one other communication network. The reference Prabandham 
teaches an authorizer capable of allowing said request said request to be forwarded on 
at least one other communication network coupled to said first communication network. 
(Fig. 2, element 216 and col.4, line 67 and col. 5, lines 1-8); a first forwarding interface 
capable of sending said profile request to an AAA server; (element 212 which has the 
first receiving interface which is AAA server); a second receiving inter-face capable of 
accepting a requested profile; and a second forwarding interface capable of forwarding 
said request on said at least one other communication network, (element 216's 
interfaces connected to element 212 and element 206). Therefore, it would have been 
obvious to one having ordinary skill in the art at the time of invention was made to 
combine Lin with Primeaux's usage pattern tracking capabilities and Prabandham's 
security protocols. In this way, it will provide an alternative to the Lin's system for an 
user AAA verification, in addition to filter's capability to selectively passing some of the 
session establishment requests. 
Referring to claims 37 and 38, 

Claims 37 and 38 are rejected for the reasons set forth for the claims 3 and 4. 
Referring to claim 39, 
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The reference Lin teaches the method wherein the responder drops the data packet 
containing said request when said client HTTO request frequency exceeds said 
maximum HTTP request frequency.(col.2, lines 33-39, lines 63-66). 
Referring to claims 40, 41, 42 and 43, 

Claims 40, 41 , 42 and 43 are rejected for the reasons set forth for the claims 6,7,8 and 
9. 

Conclusion 

Examiner's note: Examiner has cited particular columns and line numbers in the 
references as applied to the claims above for the convenience of the applicant. 
Although the specified citations are representative of the teachings of the art and are 
applied to the specific limitations within the individual claim, other passages and figures 
may apply as well. It is respectfully requested from the applicant in preparing responses, 
to fully consider the references in entirety as potentially teaching all or part of the 
claimed invention, as well as the context of 
the passage as taught by the prior art or disclosed by the Examiner. 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
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extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ashok B. Patel whose telephone number is (571) 272- 
3972. The examiner can normally be reached on 8:00am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, John A Follansbee can be reached on (571) 272-3964. The fax phone 
number for the organization where this application or proceeding is assigned is 703- 



Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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